{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3651", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-06T16:26:41.553Z", "datePublished": "2026-03-21T03:26:47.030Z", "dateUpdated": "2026-04-08T16:52:31.799Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:52:31.799Z"}, "affected": [{"vendor": "hakeemnala", "product": "Build App Online", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.23", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Build App Online plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.23. This is due to the plugin registering the 'build-app-online-update-vendor-product' AJAX action via wp_ajax_nopriv_ without proper authentication checks, capability verification, or nonce validation in the update_vendor_product() function. The function accepts a user-supplied post ID from the request and calls wp_update_post() to modify the post_author field without validating whether the user has permission to modify the specified post. This makes it possible for unauthenticated attackers to modify the post_author of arbitrary posts to 0 (orphaning posts from their legitimate authors), or for authenticated attackers to claim ownership of any post by setting themselves as the author."}], "title": "Build App Online <= 1.0.23 - Missing Authorization to Arbitrary Post Author Modification via 'build-app-online-update-vendor-product' AJAX Action", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/51564b26-0d7c-4499-9f5a-84f76c5a5e8a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/build-app-online/trunk/admin/class-build-app-online-admin.php#L565"}, {"url": "https://plugins.trac.wordpress.org/browser/build-app-online/tags/1.0.23/admin/class-build-app-online-admin.php#L565"}, {"url": "https://plugins.trac.wordpress.org/browser/build-app-online/trunk/admin/class-build-app-online-admin.php#L556"}, {"url": "https://plugins.trac.wordpress.org/browser/build-app-online/tags/1.0.23/admin/class-build-app-online-admin.php#L556"}, {"url": "https://plugins.trac.wordpress.org/browser/build-app-online/trunk/includes/class-build-app-online.php#L233"}, {"url": "https://plugins.trac.wordpress.org/browser/build-app-online/tags/1.0.23/includes/class-build-app-online.php#L233"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Ronnachai Sretawat Na Ayutaya"}, {"lang": "en", "type": "finder", "value": "Ronnachai Chaipha"}], "timeline": [{"time": "2026-03-20T15:10:32.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T15:17:54.772965Z", "id": "CVE-2026-3651", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T15:54:48.928Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3651", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T15:17:54.772965Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T15:17:55.816Z"}}], "cna": {"title": "Build App Online <= 1.0.23 - Missing Authorization to Arbitrary Post Author Modification via 'build-app-online-update-vendor-product' AJAX Action", "credits": [{"lang": "en", "type": "finder", "value": "Ronnachai Sretawat Na Ayutaya"}, {"lang": "en", "type": "finder", "value": "Ronnachai Chaipha"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "hakeemnala", "product": "Build App Online", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.23"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-20T15:10:32.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/51564b26-0d7c-4499-9f5a-84f76c5a5e8a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/build-app-online/trunk/admin/class-build-app-online-admin.php#L565"}, {"url": "https://plugins.trac.wordpress.org/browser/build-app-online/tags/1.0.23/admin/class-build-app-online-admin.php#L565"}, {"url": "https://plugins.trac.wordpress.org/browser/build-app-online/trunk/admin/class-build-app-online-admin.php#L556"}, {"url": "https://plugins.trac.wordpress.org/browser/build-app-online/tags/1.0.23/admin/class-build-app-online-admin.php#L556"}, {"url": "https://plugins.trac.wordpress.org/browser/build-app-online/trunk/includes/class-build-app-online.php#L233"}, {"url": "https://plugins.trac.wordpress.org/browser/build-app-online/tags/1.0.23/includes/class-build-app-online.php#L233"}], "descriptions": [{"lang": "en", "value": "The Build App Online plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.23. This is due to the plugin registering the 'build-app-online-update-vendor-product' AJAX action via wp_ajax_nopriv_ without proper authentication checks, capability verification, or nonce validation in the update_vendor_product() function. The function accepts a user-supplied post ID from the request and calls wp_update_post() to modify the post_author field without validating whether the user has permission to modify the specified post. This makes it possible for unauthenticated attackers to modify the post_author of arbitrary posts to 0 (orphaning posts from their legitimate authors), or for authenticated attackers to claim ownership of any post by setting themselves as the author."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:52:31.799Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3651", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:52:31.799Z", "dateReserved": "2026-03-06T16:26:41.553Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-21T03:26:47.030Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Build App Online plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.23. This is due to the plugin registering the 'build-app-online-update-vendor-product' AJAX action via wp_ajax_nopriv_ without proper authentication checks, capability verification, or nonce validation in the update_vendor_product() function. The function accepts a user-supplied post ID from the request and calls wp_update_post() to modify the post_author field without validating whether the user has permission to modify the specified post. This makes it possible for unauthenticated attackers to modify the post_author of arbitrary posts to 0 (orphaning posts from their legitimate authors), or for authenticated attackers to claim ownership of any post by setting themselves as the author."}, {"lang": "es", "value": "El plugin Build App Online para WordPress es vulnerable a acceso no autorizado en todas las versiones hasta la 1.0.23, inclusive. Esto se debe a que el plugin registra la acci\u00f3n AJAX 'build-app-online-update-vendor-product' a trav\u00e9s de wp_ajax_nopriv_ sin las comprobaciones de autenticaci\u00f3n adecuadas, verificaci\u00f3n de capacidades o validaci\u00f3n de nonce en la funci\u00f3n update_vendor_product(). La funci\u00f3n acepta un ID de publicaci\u00f3n proporcionado por el usuario de la solicitud y llama a wp_update_post() para modificar el campo post_author sin validar si el usuario tiene permiso para modificar la publicaci\u00f3n especificada. Esto hace posible que atacantes no autenticados modifiquen el post_author de publicaciones arbitrarias a 0 (dejando las publicaciones hu\u00e9rfanas de sus autores leg\u00edtimos), o que atacantes autenticados reclamen la propiedad de cualquier publicaci\u00f3n al establecerse a s\u00ed mismos como el autor."}], "id": "CVE-2026-3651", "lastModified": "2026-04-24T16:27:44.277", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-21T04:17:34.023", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/build-app-online/tags/1.0.23/admin/class-build-app-online-admin.php#L556"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/build-app-online/tags/1.0.23/admin/class-build-app-online-admin.php#L565"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/build-app-online/tags/1.0.23/includes/class-build-app-online.php#L233"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/build-app-online/trunk/admin/class-build-app-online-admin.php#L556"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/build-app-online/trunk/admin/class-build-app-online-admin.php#L565"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/build-app-online/trunk/includes/class-build-app-online.php#L233"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/51564b26-0d7c-4499-9f5a-84f76c5a5e8a?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.23]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Build App Online", "source": "cna", "vendor": "hakeemnala"}, "product": "build_app_online", "vendor": "hakeemnala"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-21T07:37:32.468405+00:00", "value": {"mitigation_remediation": ["Upgrade the Build App Online plugin to the latest version, which removes the unauthenticated AJAX action and verifies user capabilities before updating post authors.", "If an update is not immediately possible, edit the plugin code to remove the 'build-app-online-update-vendor-product' hook from the wp_ajax_nopriv list, or use a security plugin or .htaccess rule to block unauthenticated access to that endpoint.", "After applying the fix, verify that no unauthenticated requests can change post authors, either by testing with a non\u2011logged\u2011in user or by running a security scan that looks for writable post_author fields."], "summary": {"action": "Apply Patch", "impact": "Unrestricted Post Author Modification"}, "threat_synthesis": {"affected_systems": "The vulnerable code resides in the Build App Online plugin developed by hakeemnala. All releases up to and including version 1.0.23 contain the insecure AJAX action. Any WordPress installation that has this plugin installed and is running a version \u22641.0.23 is affected. The issue affects the administrative area of the site, but the attack vector operates through a publicly accessible AJAX route.", "description_and_impact": "The Build App Online plugin for WordPress registers an AJAX endpoint named 'build-app-online-update-vendor-product' that accepts a post ID from the requester and invokes wp_update_post() to change the post_author field. Because the endpoint is registered with wp_ajax_nopriv and lacks a capability check, nonce verification, or any authentication step, an attacker can send the request without logging in. This allows an unauthenticated user to set the author of any post to themselves or to zero, effectively orphaning the post. The core weakness is a missing authorization check (CWE\u2011862), resulting in potential defacement, content hijacking, and denial of rightful ownership.", "risk_and_exploitability": "The severity score of 5.3 indicates moderate risk. The absence of authentication checks makes the vulnerability trivial to exploit from any network that can reach the WordPress site. Because the EPSS score is not available, the likelihood of exploitation is unclear, but the straightforward attack path and lack of safeguards suggest a high probability of real\u2011world abuse. The vulnerability is not listed in the CISA KEV catalog; however, sites running the affected plugin remain at risk of content takeover or defacement until the issue is remediated."}}}}, "created": "2026-03-23T09:50:38.757640+00:00", "updated": "2026-03-25T14:42:11.465775+00:00", "vendors": ["hakeemnala", "hakeemnala$PRODUCT$build_app_online", "wordpress", "wordpress$PRODUCT$wordpress"]}